I have filtered bt-dht UDP packets. Can Wireshark decode the bencoding for me?

edit

The answer is yes! Wireshark will be happy to decode the bencoding, and interpret those packets as bt-dht. However, you need to tell Wireshark to do it.

Here is what to do:

1. Capture a sequence of packets, including BitTorrent Mainline DHT packets to and from the port which your BitTorrent client uses.
2. In Wireshark, in the Analyze menu, select the Enabled Protocols… item. The Enabled Protocols dialogue appears. It refers to a Profile, so you may be able to save these settings.
3. In the Enabled Protocols dialogue, scroll down to the entry "BT-DHT" (BitTorrent DHT Protocol). Be sure the checkbox in the left column is checked.
4. Click OK. The Enabled Protocols dialogue disappears.
5. In the packet listing, select a packet to or from your BitTorrent client. A filter of udp.port == 51413 (or whichever port your client uses) will ensure that the list contains only BitTorrent packets.
6. In the Analyze menu, select the Decode As… item. The Decode As dialogue appears.
7. In the Decode As dialogue, specify that the UDP port equals (the port number used by your BitTorrent client, e.g. 51413). In the menu of protocols on the right, select the "BH-DHT" protocol. The details of this dialogue differ between Wireshark 1.2.8 and 2.6.7, so look to the Decode As dialogue documentation for specifics.
8. Press OK. The Decode As dialogue disappears. In the middle pane of the main Wireshark window, where there are a list of lines for the layers of protocols of the current packet, there will be an entry underneath "User Datagram Protocol". It reads "BitTorrent DHT Protocol".
9. Click the disclosure triangle to the left of the line, "BitTorrent DHT Protocol". The DHT fields of the current packet appear.

From there, it's pretty straightforward to explore.

The fields of the BT-DHT are given in the Display Filter Reference pages for BitTorrent DHT Protocol.

From the "Type" column on this page, you can determine how to build display filters for DHT packets. A field which has Type of "Label" cannot be used with == or other operators. You can only search for its presence: bt-dht.peer finds packets which contain Peer fields, probably as a response to a request. A field which has the type of "string" can be compared using quoted strings, or unquoted hex for a binary string value: bt-dht.bencoded.string == 64230fc9afbef7ff8d7986403109b408d1360c15 finds packets containing a binary string which is represented as that hexadecimal value. In my case, it is the infohash of a torrent I want to share.

Using display filter expressions in a similar way, you can colour packets according to different stages in the DHT protocol. But that is a topic for a different note.

This worked for me in both Wireshark 1.2.8, installed from macports and running under X11, and Wireshark 2.6.7, installed as a Mac app downloaded from wireshark.org. In both cases my OS is macOS 10.11 El Capitan.